
List:       firewall-1
Subject:    [FW-1] RE : [FW-1] RE : [FW-1] Problems with DMZ network with NG AI R54!
From:       Raz BIRAMAH <razpro2002 () YAHOO ! FR>
Date:       2004-03-27 15:30:11
Message-ID: !~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAkpIzZVfGjEmBhhLwPMWcf8KAAAAQAAAAVOb2bJ29VkWHR3uzHnFHYAEAAAAA () yahoo ! fr

Thanks a lot,

I have already put a route on the VSAT router for all packets for the
DMZ net; something like:

route add 200.1.1.0 mask 255.255.255.0 gateway 200.1.1.2

For the NAT of the DMZ, I will check once again, but I'm practically
sure that is not the case.

Raz

-----Original Message-----
From: juan.carcavallo@edinfor.com.br
[mailto:juan.carcavallo@edinfor.com.br]
Sent: Saturday 27 March 2004 14:15
To: Mailing list for discussion of Firewall-1
Cc: razpro2002@YAHOO.FR
Subject: Re: [FW-1] RE : [FW-1] Problems with DMZ network with NG AI R54!


Hi Raz,

I am sure you are natting the machines in the DMZ; you need to create
one route to each server in the VSAT router. I will give you one example.


Host A:
Real IP - 10.1.1.1
Natted IP - 200.1.1.1

Firewall machine:
External IP: 200.1.1.2
DMZ IP: 10.1.1.2

You need to create the following route in the VSAT router (Internet
router), something like the following:

route add 200.1.1.1 mask 255.255.255.255 gateway 200.1.1.2

This is necessary because the Internet router will send ARP requests to
the host 200.1.1.2, but the machine is not in the external network, so
the router will not receive the ARP reply. With this route the router
will send all packets sent to 200.1.1.1 to the MAC address of your
firewall machine.

Any question please let me know,


Juan Bautista Carcavallo
Security Consultant
Information Security Department
Av. Eng. Luis Carlos Berrini, 1253 - 3º Andar
04571-010 - São Paulo - SP - Brasil
Tel.: 55-11-5110-0285
Fax: 55-11-5505-9505
juan.carcavallo@edinfor.com.br
http://www.edinfor.com.br
"Focus on your business, leave the IT to us."

PS: Just one point to remind you of: depending on how your NAT table is
created, the internal requests can be wrongly NATed, so you need to
create 2 manual NAT rules:
One from the internal networks to machine A, keeping the original
address in both the source and destination.
And another in the opposite direction, from host A to the internal
networks.


Raz BIRAMAH <razpro2002@YAHOO.FR>
Sent by: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
27/03/2004 08:15
Please respond to Mailing list for discussion of Firewall-1

To:       FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
cc:
Subject:  [FW-1] RE : [FW-1] Problems with DMZ network with NG AI R54!

Hi,

Yes, I'm dynamically natting only the LAN behind the Internet interface
of the gateway.

Raz

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Robert
Plaenk
Sent: Friday 26 March 2004 18:55
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Problems with DMZ network with NG AI R54!

Are you natting? What version of the fw are you running?



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Raz
BIRAMAH
Sent: Friday, March 26, 2004 12:30 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Problems with DMZ network with NG AI R54!

Hi All,

Could somebody help me? I have a FW module with 4 interfaces laid out
like this:

- eth0 connected to the LAN via a switch
- eth1 connected to the VPN via a Cisco VPN Router
- eth2 connected to the DMZ via a switch
- eth3 connected to Internet via a VSAT Router (RG2000)

Despite putting a specific rule, just after the Stealth one, which
specifies that all traffic from ANY to DMZ_NET must be allowed, my DMZ
servers can't be reached from the Internet. But from the LAN everything
is ok.

Is there any specific configuration to do on the FW module (installed on
SPLAT)?

Thanks a lot

Raz
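Juan's explanation above (the Internet router ARPs for the NATed address and gets no reply, so it needs a host route pointing at the firewall's external IP) and the network route Raz says he added can be checked against a small model of a router's forwarding decision. This is an added example, not code from anyone in the thread; it assumes standard longest-prefix-match forwarding in which a connected route is preferred over a static route of the same prefix length (as on most routers), and the firewall MAC address is a constructed placeholder.

```python
import ipaddress

# Constructed topology from the thread: firewall external IP 200.1.1.2,
# DMZ host 10.1.1.1 statically NATed to 200.1.1.1 on the external /24.
FW_EXTERNAL_MAC = "00:00:5e:00:53:02"   # placeholder MAC, not from the thread


class Router:
    """Model of the VSAT router: longest-prefix match, connected routes
    preferred over static ones at equal prefix length, then ARP lookup."""

    def __init__(self):
        self.routes = []   # (network, next_hop or None for connected, distance)
        self.arp = {}      # ip -> mac of hosts that actually answer ARP

    def add_connected(self, net):
        self.routes.append((ipaddress.ip_network(net), None, 0))

    def add_static(self, net, gateway):
        self.routes.append((ipaddress.ip_network(net),
                            ipaddress.ip_address(gateway), 1))

    def learn_arp(self, ip, mac):
        self.arp[ipaddress.ip_address(ip)] = mac

    def forward(self, dst):
        """Return the next-hop MAC for dst, or why the packet cannot leave."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return "no route"
        # Longest prefix wins; on a tie the lower administrative distance wins.
        _, gw, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        target = dst if gw is None else gw   # connected route: ARP for dst itself
        mac = self.arp.get(target)
        return mac if mac else f"arp for {target} unanswered"


def build_router():
    r = Router()
    r.add_connected("200.1.1.0/24")              # external segment is directly attached
    r.learn_arp("200.1.1.2", FW_EXTERNAL_MAC)    # only the firewall's own IP answers ARP
    return r


def without_host_route():
    return build_router().forward("200.1.1.1")   # router ARPs for 200.1.1.1: nobody replies


def with_network_route():
    r = build_router()
    r.add_static("200.1.1.0/24", "200.1.1.2")    # same prefix as the connected route
    return r.forward("200.1.1.1")


def with_host_route():
    r = build_router()
    r.add_static("200.1.1.1/32", "200.1.1.2")    # Juan's /32 route via the firewall
    return r.forward("200.1.1.1")
```

A /32 host route is more specific than the connected /24, so the router resolves the firewall's MAC instead of ARPing for 200.1.1.1 itself, while a static route for the whole /24 via 200.1.1.2 ties with the connected route on prefix length and loses to it in this model. The other usual remedy is to have the firewall answer ARP for 200.1.1.1 on its external interface (proxy ARP), which makes the router's own ARP request succeed without any extra route.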

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================

